I am trying to understand a mysql injection not working as expected.
I have a php script that does a login based on username and password supplied on a webpage. The query string looks like this:
$querystr = "SELECT COUNT(*) FROM usertbl WHERE user='$user' and pass='$pass'";
Username and password are escaped before they are used in the querystr above. This means any apastroph(single quote) is escaped as well.
I found a blog describing this very issue here: mysql_escape_string-the-charset-vulnerability.
I tried to replicate what´s explained on that blog, but when I supply hexadecimal characters for user or pass on the website, php somehow doesn´t interpret them as hex it seems.
When I enter for the username on the webpage(password empty):
user\xbf\x27
the query logged by MySQL is:
SELECT COUNT(*) FROM usertbl WHERE user='user\xbf\x27 or 1=1--' and pass=''
So, to me it looks like the hexadecimal characters are not interpreted as such.
For some more debugging, I created the following php script, which I ran on the server:
<?php
header('Content-type: text/plain; charset=gbk');
$hex="\xbf\x27";
echo mysql_escape_string($hex);
?>
The output is:
�\'
Does anybody have an idea why it might not work for me?
Thank you
When you type $hex="\xbf\x27"; in a php script, PHP parses it and stores the string formed by the hexadecimal bytes BF 27.
When you type \xbf\x27 in a web page, it is sent verbatim to the server, so the query ends up with the literal text «\xbf\x27».
The way to exploit it would be to enter that character in the browser (eg. changing your browser encoding to iso-8859-1 and pasting a ¿), or sending a fake HTTP request where you directly insert in the wire any byte you wish. If you are performing the injection through HTTP GET, there's an easy way to insert which is using %-escapes, ie. "&user=user%bf%27%20or%201=1--&pass=".
Related
I want to do a "select all" from a table, using an URL. However the URLs stored in my database have funny characters; an URL in my database looks something like this:
http%3A%2F%2Fwww.indeed.co.uk%2Fviewjob%3Fjk%3D62643ba09fe2e936%26qd%3DUl8d87NuQZQD4fDpyxUj6Q3nWG6Z80ksB5Olwd1QWW3wG-YZeyT0yxf8fUYia7g-jLgw8Q9quijZp6li7FQTOh_bZiy_HhLQe1iSKacCzeM%26indpubnum%3D2878078796677777%26atk%3D185867g360mq25sg
How would I select this by using a normal URL string such as "http://www.indeed.co.uk/blablabla", without all the funny %3A%2F characters.
Or is there a way to insert the urls into the database without these characters getting added in. If so how?
If you use PHP, you can use the function urlencode :
$query = "SELECT * FROM table WHERE url = '" . urlencode($urlToSearch) . "'";
Documentation PHP.net
Those are URI encoded characters. It's not clear how those ended up in your database, though it's possible they weren't properly decoded before being saved.
It's sort of possible to decode these in MySQL alone but it's usually better to use a scripting language of some sort to do the conversion for you.
So, I have some additional data I want to provide with request.
For example:
/tests/46/add_key?keyword=%D0%A0%D0%BE%D1%81%D1%81%D0%B8%D0%B8&position=22
But beside this, I want to pass color query, like this:
/tests/46/add_key?keyword=%D0%A0%D0%BE%D1%81%D1%81%D0%B8%D0%B8&position=22&color=#68d574
But this way final request is:
Started POST "/tests/46/add_key?keyword=%D1%81%D0%BA%D1%80%D0%BE%D0%BC%D0%BD%D0%BE&position=200&color="
As I change query to string only with [a-zA-Z], like 'red':
Started POST "/tests/46/add_key?keyword=%D1%81%D0%BA%D1%80%D0%BE%D0%BC%D0%BD%D0%BE&position=200&color=red"
The request is what I expect.
So, the query which doesn't go to server (#68d574) contains symbol, I can't use in requests (#). Or what?
Can you explain please
The # character indicates the start of the fragment identifier, so it terminates the query string. Since the fragment id is only used client side, it isn't even sent to the server.
As with any character which has special meaning in a URI, you can include it as data by percent encoding it (in this particular case as %23).
I am concerned about inserting text in a MySQl table w.
I have to insert/update text that contains characters such as / " and '
The escape character / could be inserted only if the NO_BACKSLASH_ESCAPES SQL mode is enabled. wich interfere with the characters " and ' see this link http://dev.mysql.com/doc/refman/5.1/en/string-literals.html#character-escape-sequences
If anyone can explain to is in earth the mysql_real_escape_string() I don't came to understated
I would like to find a pure mysql solution
I am not using php. What I am trying to do here is to "simulate " Content Management System: I am about to write a C# coded solution that manage the content in its different forms(article, category ,tag, etc..) and generate .html files, the MySQl database is local in my computer next i will upload the .html files to the server.
I did this to ensure that all my html pages are html valid and because I don't trust any existent solutions (not only when it concerns coding but in life in general)
Please help
each php db connection extension (mysql, mysqli, pdo) has a special way to safe query against sql injections, when you are using mysql extension, it's strongly recommended to use mysql_real_escape_string() function to make safe all variables used in query, it's most widely used function. i think there isn't any pure solution (when you are using mysql extension in php).
from php.net:
mysql_real_escape_string()-Escapes special characters in the
unescaped_string, taking into account the current character set of the
connection so that it is safe to place it in a mysql_query().
Whatever string data can be inserted into SQL query, if formatted according to 2 rules
it is enclosed in quotes (preferably single ones)
it is passed through mysql_real_escape_string()
if both rules followed, there would be not a single problem with whatever characters, either slashes, quotes or anything.
According to your question, / has no special meaning in MySQL. It's \ that is escape character. It can be escaped by another backslash as well.
$str = 'slashes \ quotes \' or whatever " else symbols';
var_dump($str);
$str = mysql_real_escape_string($str);
$sql = "INSERT INTO table SET str='$str'";
I can't figure this out for the life of me.
I have a query that pulls translations of elements on a page. So any number of 15 languages can appear on that page. When I start to add languages like Swedish anything that has a symbol such as ö results in the whole field returning a null string.
I've verified the encoding on the table and it claims it's using UTF-8 but seeing as how this doesn't work I'm confused.
Here is the query I'm working with:
SELECT
form.form_id,
elem.elem_type,
elem.elem_name,
elem.elem_format,
elem.elem_required,
trans.trans_label,`
trans.trans_description,
trans.trans_defaultValue,
trans.trans_other,
elem.elem_advancedcommand
FROM
events_form form
LEFT JOIN
events_form_elements elem
ON
form.event_id = elem.event_id
INNER JOIN
events_form_translations trans
ON
elem.elem_id = trans.elem_id
INNER JOIN
events_form_languages lang
ON
trans.lang_id = lang.lang_id
WHERE
form.form_id = '{$formid}' AND lang.language = '{$language}'
ORDER BY
elem.elem_sortorder
Now I tried to do something like:
CONVERT(CAST(trans.trans_description as BINARY) USING latin1) as trans_description,
To force it to covert the encoding but that doesn't yield a result at all.
After I get the result it's immediately json_encoded and returned to the user (Ajax Request). I DON'T think it's the json_encode as doing a print_r of the output array yields the same issues.
Also.. lastly, the system I'm building on is using xPDO so I'm not too sure if that's the issue either.
EDIT:
It seems that PHP IS returning a correct value or at least a value for example here is a print_r dump:
[trans_label] => Ditt f�rnamn?
[trans_description] =>
[trans_defaultValue] => First Name
So it seems that when my json_encode touches that string is when it turns the string to null.
Your PDO connection string should specify the encoding. For example:
mysql:host=localhost;port=3306;dbname=test;charset=utf8
This controls the encoding that the database driver will use when it returns a result, and the encoding the driver assumes your queries are in. If you don't specify it, the default encoding will be used. Often the default is latin1.
You can confirm this by printing the hexadecimal representation of the data with bin2hex in PHP: the ö in förnamn is being returned as f6. If the text was encoded in UTF-8 you would obtain c3b6.
You said nothing about the encoding of your web pages.
Do you have that line in the <head> section of your page to force the encoding to UTF-8?
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
I've had problems endcoding letters to my native language Icelandic but ive found a mutual solution for all utf8 letters.
right after mysql_select_db and before mysql_query insert the following:
mysql_query("SET character_set_connection=utf8,
character_set_results=utf8,
character_set_client=utf8", $con);
Where $con is the connection to mysql
Happy coding..
Your answer is null after conversion due to incompatibility of data types.But showing European or Arabic characters on the page is quite simple.I had the same problem with Arabic language, but after few experiment its works fine now.
If you want to show those European characters on the page (jsp,php,html) first set the page encoding to UTF-8 like: -
pageEncoding="utf-8"
And also you need some changes on your database connection class for utf-8 characters
Use the code below:-
jdbc:mysql:your_ipaddress":3306/"+db+"?requireSSL=false&useUnicode=true&characterEncoding=UTF-8
Hope it will help you.
I have a couple escaped characters in user-entered fields that I can't figure out.
I know they are the "smart" single and double quotes, but I don't know how to search for them in mysql.
The characters in ruby, when output from Ruby look like \222, \223, \224 etc
irb> "\222".length => 1
So - do you know how to search for these in mysql? When I look in mysql, they look like '?'.
I'd like to find all records that have this character in the text field. I tried
mysql> select id from table where field LIKE '%\222%'
but that did not work.
Some more information - after doing a mysqldump, this is how one of the characters is represented - '\\xE2\\x80\\x99'. It's the smart single quote.
Ultimately, I'm building an RTF file and the characters are coming out completely wrong, so I'm trying to replace them with 'dumb' quotes for now. I was able to do a gsub(/\222\, "'").
Thanks.
I don't quite understand your problem but here is some info for you:
First, there are no escaped characters in the database. Because every character being stored as is, with no escaping.
they don't "look ilke ?". I's just wrong terminal settings. SET NAMES query always should be executed first, to match client encoding.
you have to determine character set and use it on every stage - in the database, in the mysql client, in ruby.
you should distinguish ruby strings representation from character itself.
To enter character in the mysql query, you can use char function. But in terminal only. In ruby just use the character itself.
smart quotes looks like 2-byte encoded in the unicode. You have to determine your encoding first.